Monthly Archive: December 2019

I did a detailed privacy check of the TikTok app and its corresponding website. Multiple law infringements and breaches of trust, transparency and data protection were found. I provide all technical and legal details in this article. For a less technical view, read the article at Süddeutsche Zeitung (in German).

I used mitmproxy as my setup in order to re-route all app traffic for analysis. One can see in the video how the device information, usage time and list of watched videos are being sent to Appsflyer and Facebook. It is hard to believe that this is covered by „legitimate interest“ and transparency: the search terms that I entered are being forwarded to Facebook.

The transfers to the two companies are clearly in conflict with the GDPR: Facebook cannot comply with article 14 regarding the rights to deletion of information etc. for this data. The data transfer to Appsflyer also lacks transparency, as it is unknown to which of its more than 4500 partners the data might get transferred down the line. Bytedance’s answer to this: „We won’t show you the contracts.“ Did they even read article 26 of the GDPR?

Most importantly, fundamental rights are being violated, since Personally Identifying Information (PII) is transferred to a server under the control of a company residing in an insecure, non-European country. The location of the server is irrelevant – what is important is the location of the company deciding about the data, according to Malte Engeler. Bytedance’s headquarters are located in Beijing, China. I
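As an added example (my own code, not from the post and not part of mitmproxy), here is a minimal mitmproxy addon for the setup described above: it flags app requests going to the two recipients named in the post and reports which identifier- or search-like fields they carry, so those flows stand out in the capture instead of being buried in it. The host patterns, the field-name list and the file name are assumptions to adjust to what your own capture shows.

```python
"""Privacy-audit addon for mitmproxy (run: mitmdump -s audit_addon.py).
Flags app requests to the third-party endpoints named in the post and
lists which identifier- or search-like fields they carry."""
import json
import re
from urllib.parse import parse_qsl

# Host patterns for the two recipients named in the post (assumption).
THIRD_PARTY_HOSTS = {
    "appsflyer": re.compile(r"(^|\.)appsflyer\.com$"),
    "facebook": re.compile(r"(^|\.)facebook\.com$"),
}
# Field names that usually carry identifiers or user input (assumption;
# extend with the names you see in your own capture).
SENSITIVE_KEYS = re.compile(
    r"advertis|gaid|idfa|device_id|android_id|imei|serial|search|query|keyword",
    re.IGNORECASE)


def _flatten(obj, prefix=""):
    """Yield (dotted_key, value) pairs from nested JSON objects."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    else:
        yield prefix.rstrip("."), obj


def audit_request(host, query, body):
    """Return {"recipient", "fields"} for a request to a listed host, else None.
    `query` is a dict of URL parameters, `body` the raw request body text."""
    recipient = next((n for n, p in THIRD_PARTY_HOSTS.items() if p.search(host)), None)
    if recipient is None:
        return None
    params = dict(query)
    try:  # JSON body, or fall back to a form-encoded body
        params.update(_flatten(json.loads(body or "null")))
    except ValueError:
        params.update(parse_qsl(body or ""))
    fields = {k: str(v) for k, v in params.items() if SENSITIVE_KEYS.search(k)}
    return {"recipient": recipient, "fields": fields}


def request(flow):
    """mitmproxy hook: print every flagged flow to the mitmdump console."""
    found = audit_request(flow.request.pretty_host, dict(flow.request.query),
                          flow.request.get_text(strict=False))
    if found and found["fields"]:
        print(f"[audit] {found['recipient']} <- {flow.request.pretty_url}: {found['fields']}")
```

`audit_request` is plain Python, so it can be exercised on constructed requests without a device or mitmproxy installed.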

Update: They informed the whole audience in the stream, apologized (they had trackers blocked on their computers and didn't realize) and it looks like they removed the tracker from the setup during the running conference, which is quite amazing.

"Facebook's business model relies on optimizing everything for 'engagement' and 'growth' to make as many people stay as long as possible. Like yellow press on steroids, automated+personalized at global scale. It's toxic. They know it. They won't change it."

https://www.wsj.com/articles/facebook-knows-it-encourages-division-top-executives-nixed-solutions-11590507499

(Via https://twitter.com/WolfieChristl/status/1265391689071501313)

Just discovered that #Frida Objection has a pause switch (not well documented): objection patchapk -s example.apk --pause

The app is disassembled, then waits to get rebuilt. So instead of code injections you could just change everything in a temp folder (e.g. manifest, smali).

https://github.com/sensepost/objection/issues/305#issuecomment-574047101